swift: CVE-2013-2161: Unchecked user input in Swift XML responses

Related Vulnerabilities: CVE-2013-2161   CVE-2013-4155  

Debian Bug report logs - #712202


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 14 Jun 2013 04:48:06 UTC

Severity: important

Tags: patch, security, upstream

Found in version swift/1.4.8-2

Fixed in versions swift/1.8.0-6, swift/1.4.8-2+deb7u1

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#712202; Package swift. (Fri, 14 Jun 2013 04:48:11 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 14 Jun 2013 04:48:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: swift: CVE-2013-2161: Unchecked user input in Swift XML responses
Date: Fri, 14 Jun 2013 06:46:25 +0200
Package: swift
Version: 1.4.8-2
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for swift.

CVE-2013-2161[0]:
Unchecked user input in Swift XML responses

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2161
    http://security-tracker.debian.org/tracker/CVE-2013-2161
[1] http://marc.info/?l=oss-security&m=137114289207688&w=2
[2] https://bugs.launchpad.net/swift/+bug/1183884

Please adjust the affected versions in the BTS as needed.

(It looks like this alone does not need a DSA, but the issue could also be
fixed in an update through a stable-proposed-update.)

Regards,
Salvatore

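The report above only names the bug class ("unchecked user input in XML responses"). The following is an added illustration, not Swift's own code and not the upstream patch: a toy account listing serializer that interpolates user-chosen container names into XML without escaping, next to a hardened version that uses the standard library's xml.sax.saxutils. The account and container names, including the crafted one, are constructed for this example. It shows the two failure modes a practitioner would test for: a name containing `<`/`"` that breaks the response, and a name that stays well-formed but injects extra elements a client will happily parse.

```python
"""Added example (not OpenStack Swift code): reflecting user-controlled
names into an XML listing with and without escaping.

Functions, names and sample data here are constructed for illustration.
"""
from xml.sax.saxutils import escape, quoteattr
import xml.etree.ElementTree as ET

# Constructed sample: a container name chosen by the user who created it.
# It closes the current element and opens a new one, so the raw output
# stays well-formed but contains a container that does not exist.
MALICIOUS_NAME = 'docs</name></container><container><name>injected'


def listing_unescaped(account, names):
    """Vulnerable pattern: raw string interpolation into XML markup."""
    body = ['<account name="%s">' % account]
    for name in names:
        body.append('<container><name>%s</name></container>' % name)
    body.append('</account>')
    return '\n'.join(body)


def listing_escaped(account, names):
    """Hardened pattern: quoteattr() for attribute values (it picks the
    quote character and escapes the rest), escape() for text nodes
    (it encodes &, < and >)."""
    body = ['<account name=%s>' % quoteattr(account)]
    for name in names:
        body.append('<container><name>%s</name></container>' % escape(name))
    body.append('</account>')
    return '\n'.join(body)


def is_well_formed(xml_text):
    """True if a standard XML parser accepts the response at all."""
    try:
        ET.fromstring(xml_text.encode('utf-8'))
        return True
    except ET.ParseError:
        return False


def parsed_container_names(xml_text):
    """Parse the listing the way a client would and return the names it sees."""
    root = ET.fromstring(xml_text.encode('utf-8'))
    return [c.findtext('name') for c in root.findall('container')]


def parsed_account_name(xml_text):
    """Return the account name attribute as a client would read it."""
    return ET.fromstring(xml_text.encode('utf-8')).get('name')


if __name__ == '__main__':
    names = ['photos', MALICIOUS_NAME]
    raw = listing_unescaped('AUTH_test', names)
    safe = listing_escaped('AUTH_test', names)
    print('unescaped listing, as parsed by a client:', parsed_container_names(raw))
    print('escaped listing, as parsed by a client:  ', parsed_container_names(safe))
    print('unescaped with a quote in the account name is well-formed:',
          is_well_formed(listing_unescaped('AUTH_a"b', [])))
```

The check worth keeping from this: round-trip every response through a real XML parser and compare the parsed names with the names you stored. In the unescaped variant the crafted name yields three containers instead of two, and a `"` in the account name produces a response no parser accepts; in the escaped variant both parse back to exactly what was stored.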


Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Fri, 12 Jul 2013 05:51:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 12 Jul 2013 05:51:08 GMT)


Message #10 received at 712202-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 712202-close@bugs.debian.org
Subject: Bug#712202: fixed in swift 1.8.0-6
Date: Fri, 12 Jul 2013 05:48:30 +0000
Source: swift
Source-Version: 1.8.0-6

We believe that the bug you reported is fixed in the latest version of
swift, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 712202@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated swift package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 28 Jun 2013 15:33:19 +0800
Source: swift
Binary: python-swift swift swift-proxy swift-object swift-container swift-account swift-doc
Architecture: source all
Version: 1.8.0-6
Distribution: unstable
Urgency: low
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 python-swift - distributed virtual object store - Python libraries
 swift      - distributed virtual object store - common files
 swift-account - distributed virtual object store - account server
 swift-container - distributed virtual object store - container server
 swift-doc  - distributed virtual object store - documentation
 swift-object - distributed virtual object store - object server
 swift-proxy - distributed virtual object store - proxy server
Closes: 712202 715452
Changes: 
 swift (1.8.0-6) unstable; urgency=low
 .
   [ Thomas Goirand ]
   * Renamed all init script with .init extension in the debian folder, so it is
     more easy to list them with ls.
   * Added upstart scripts.
   * Added myself and Julien in debian/copyright for the packaging, plus
     Canonical for the upstart jobs.
   * Removes unwanted python-webob (build-)depends (Closes: #715452).
 .
   [ Julien Cristau ]
   * CVE-2013-2161: Check user input in XML responses (closes: #712202)
Checksums-Sha1: 
 0b17a090dc9b9e9806474937815d19e2955f8e00 1961 swift_1.8.0-6.dsc
 679d422b0ae3062e30ccea1bebd05c341af77d9d 20893 swift_1.8.0-6.debian.tar.gz
 b2719d5ddedf3ad85ca648d63444753d0a7a5fdb 180142 python-swift_1.8.0-6_all.deb
 279ff5a8d1ab45d3c68a31d52311dbf5dcbefd91 50006 swift_1.8.0-6_all.deb
 ace290a9aabfeac448b09c077e626f66c1e9f6f4 33840 swift-proxy_1.8.0-6_all.deb
 375c4b8f0f23b9011dc04ad4706538dcc6f0eae9 32816 swift-object_1.8.0-6_all.deb
 10a95791cdb35a160e6e9d1ff0ff35e8a85bb206 27020 swift-container_1.8.0-6_all.deb
 a2f71a21df6fcfdcdd29255e70e60c00f011ffd4 28660 swift-account_1.8.0-6_all.deb
 8932f4856808763cdc82ad33a75eeaa1c527f94c 211746 swift-doc_1.8.0-6_all.deb
Checksums-Sha256: 
 58a2274a6145137a46d2f43c4dc68d67d3da8df7391464a1f4abe6db6a5749ba 1961 swift_1.8.0-6.dsc
 c88cf016eafcece689b618e264101a28fe539d8d2289fe7c1f4596a7bbf93a55 20893 swift_1.8.0-6.debian.tar.gz
 c784353ae860f2085840e6776d425a2e67e88f28ff45249a981b43deccc66654 180142 python-swift_1.8.0-6_all.deb
 adc0b7764ad4ab152d10bcb1c6f904eef2b1d618b34a617117a4f8f6a51895a5 50006 swift_1.8.0-6_all.deb
 c69655cda9c0265084b1a2c89a10545026049424ada24d47e46acbf605af9a0f 33840 swift-proxy_1.8.0-6_all.deb
 9d5866edfa7b1c0d77c8f063c4d15b6fdf29cdcff9d5bf60d853b54f5a8ca38b 32816 swift-object_1.8.0-6_all.deb
 4c4932ee8b01a7fd7320842c423c4360c7216d8c612184797514787a5acd53a0 27020 swift-container_1.8.0-6_all.deb
 022a5814430c4c4af502a44e24803a83d01fe22c8e10c814d00de84efd9c8a7f 28660 swift-account_1.8.0-6_all.deb
 a9dd30780185489a268e1f0cbafd9e6e5b61c0787802374526cba1fcce8a0e70 211746 swift-doc_1.8.0-6_all.deb
Files: 
 87d65e7d304082f4b31d6be70900a8c3 1961 net optional swift_1.8.0-6.dsc
 1463a1bc26206d1b560f73402cff985e 20893 net optional swift_1.8.0-6.debian.tar.gz
 e1dcd7abc63526d6296f54cd2d956d3d 180142 python optional python-swift_1.8.0-6_all.deb
 efbcb31371267975205db9b8f02295c9 50006 net optional swift_1.8.0-6_all.deb
 dbea80c76f41fc99e0afa8455d04b3c0 33840 net optional swift-proxy_1.8.0-6_all.deb
 8d2a5035dfa52f326138f933e62922d5 32816 net optional swift-object_1.8.0-6_all.deb
 f5e804c2330fce041500381fe0fcc5a2 27020 net optional swift-container_1.8.0-6_all.deb
 7d2a63b1919379cfc7d12e319ed7aa87 28660 net optional swift-account_1.8.0-6_all.deb
 bc20b5689535a19e0b29b15edd190abf 211746 doc optional swift-doc_1.8.0-6_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHfmSUACgkQl4M9yZjvmkmQVwCfTMehMrEpET4BDhlZn96yYyif
9WsAoOSeggL7bZ0GHQOajddQ6r0Iohz7
=cRu0
-----END PGP SIGNATURE-----




Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Wed, 14 Aug 2013 21:21:18 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 14 Aug 2013 21:21:18 GMT)


Message #15 received at 712202-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 712202-close@bugs.debian.org
Subject: Bug#712202: fixed in swift 1.4.8-2+deb7u1
Date: Wed, 14 Aug 2013 21:17:11 +0000
Source: swift
Source-Version: 1.4.8-2+deb7u1

We believe that the bug you reported is fixed in the latest version of
swift, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 712202@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated swift package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 12 Jul 2013 13:54:33 +0800
Source: swift
Binary: python-swift swift swift-proxy swift-object swift-container swift-account swift-doc
Architecture: source all
Version: 1.4.8-2+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 python-swift - OpenStack Object Storage - libraries
 swift      - OpenStack Object Storage - common files
 swift-account - OpenStack Object Storage - account server
 swift-container - OpenStack Object Storage - container server
 swift-doc  - OpenStack Object Storage - documentation
 swift-object - OpenStack Object Storage - object server
 swift-proxy - OpenStack Object Storage - proxy server
Closes: 712202 719008
Changes: 
 swift (1.4.8-2+deb7u1) wheezy-security; urgency=high
 .
   * CVE-2013-2161: Applied fix for unchecked user input in Swift XML responses
     (Closes: #712202).
   * CVE-2013-4155: Backported fix for Denial of Service using superfluous
     object tombstones (Closes: #719008).
   * Updated debian/gbp.conf to track Wheezy fixes.
Checksums-Sha1: 
 a0f8c4bc97078453361956e1041838f4163c347b 1831 swift_1.4.8-2+deb7u1.dsc
 b3ccd10902f9aa3432f02a6a0f89ed5a10e6b3ae 304096 swift_1.4.8.orig.tar.xz
 986a092d9bbfbcaea7cd534bf3b0beb0511cbffa 21179 swift_1.4.8-2+deb7u1.debian.tar.gz
 370be64932459c545e282ecd4b557c5c13b1984e 166230 python-swift_1.4.8-2+deb7u1_all.deb
 99fd01b0ffda6c3fed2200024ae8561077d4858f 41604 swift_1.4.8-2+deb7u1_all.deb
 37c0557289654b24f6d210a99e34538991fd0780 12704 swift-proxy_1.4.8-2+deb7u1_all.deb
 d2ff33959ef90f57a92835982b617667895e954a 13036 swift-object_1.4.8-2+deb7u1_all.deb
 b0436205f144963d124ce8921f4fda7786e4a608 11368 swift-container_1.4.8-2+deb7u1_all.deb
 9f23260c937015828203c735d89d37bbf9405c6e 11524 swift-account_1.4.8-2+deb7u1_all.deb
 dd5ffa91a9c8859d5bd8bbd5c56f99a27697ac6b 255802 swift-doc_1.4.8-2+deb7u1_all.deb
Checksums-Sha256: 
 da67ff95c99e4522676d0e0be175326c9b3039455ccef55f4bfddee4e830ab48 1831 swift_1.4.8-2+deb7u1.dsc
 98c3596e0a35bc271d379d05f595c74c19de76d748b6a15873bb4ef5acaf92db 304096 swift_1.4.8.orig.tar.xz
 ae23b8c5056a46d54777b0e8cd1c31a93a0272485831073fd35f7c932e4c8f4b 21179 swift_1.4.8-2+deb7u1.debian.tar.gz
 5a76feca240b53592c3255a2bbc1acdd7cda03cc320ff153b90ee0d8d9ff477a 166230 python-swift_1.4.8-2+deb7u1_all.deb
 c854d077cacc9df9885586e4d3624847fcc3e86594dd84cd3923ff663cd2823a 41604 swift_1.4.8-2+deb7u1_all.deb
 3e07aee8a33cb1d3c589eb8863365d8e66f1bb4df616bd09ffb70fce395b7e46 12704 swift-proxy_1.4.8-2+deb7u1_all.deb
 893cee1630d1534d8ba1df0dc40b8017651209c9fe7bdd6ccf2bc89ba1de9975 13036 swift-object_1.4.8-2+deb7u1_all.deb
 f732b6250d0cce461fb03ab8b9ff65607eb6f37934fea74f349c0b65ce75568c 11368 swift-container_1.4.8-2+deb7u1_all.deb
 33418ea49db08898f1c5549e5a7e4f5f9d0a5cede336b4a76a70984eed6300d4 11524 swift-account_1.4.8-2+deb7u1_all.deb
 3aa30d2ed67cd69cac149036f863f15a693ba1696a514cec8a4a5a93163e010c 255802 swift-doc_1.4.8-2+deb7u1_all.deb
Files: 
 f368d5e3d33353d505c0af28ffa768ec 1831 net optional swift_1.4.8-2+deb7u1.dsc
 66eb01f5e14a68e33de910acddd76b8a 304096 net optional swift_1.4.8.orig.tar.xz
 c540a7c1039a322ff81763067b7b6fbb 21179 net optional swift_1.4.8-2+deb7u1.debian.tar.gz
 67c44018feec8e4f2c96cd177a20a4c7 166230 python optional python-swift_1.4.8-2+deb7u1_all.deb
 745f540450521d793d4f7a4fef9536b1 41604 net optional swift_1.4.8-2+deb7u1_all.deb
 f2e7c954a87246aced03f30e92fb9034 12704 net optional swift-proxy_1.4.8-2+deb7u1_all.deb
 07fd57d69b0630fec3d636ef95c07fb1 13036 net optional swift-object_1.4.8-2+deb7u1_all.deb
 1ee0cacfb6247803d50c142b27edbdcf 11368 net optional swift-container_1.4.8-2+deb7u1_all.deb
 486651afe7d8587dda8bad128ee052c1 11524 net optional swift-account_1.4.8-2+deb7u1_all.deb
 b8b2ce9623d09ddf0c08354d9f84d023 255802 doc optional swift-doc_1.4.8-2+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlID4fYACgkQl4M9yZjvmkntKACg5LgNjh4G3FWNUJUwpa5WYWJs
ptEAnRU3Qy1/fJH1BPSF9LObLbugTKQH
=0rfF
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 12 Sep 2013 07:25:45 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:48:10 2019; Machine Name: buxtehude
